CAE Pulse – Report: Cyber Risk on the Rise, Including From Third Parties Such as Vendors

Managing this area requires considerable time from executives and board members.

Cyber incidents are on the rise, with almost 700 cyber incidents reported among the 3,000 largest publicly traded companies in the U.S. in the two years leading up to January 2024, new research shows. One-third of those reporting breaches said they involved the compromise of a supplier or another third party.

Additionally, incidents that affected many individuals were more likely to have a third party as the root cause, according to Managing Cyber Risk: Breach Risk Trends in Public Companies, published by advisory firm ISS-Corporate. “Managing these risks is critical, and consequently consumes a significant amount of time, money, and attention of C-suite executives and board members,” the report reads. “It has also gotten increasing attention from regulators.”

The report points out that the new disclosure requirements from the U.S. Securities and Exchange Commission (SEC) have already compelled a change in behavior by publicly traded firms. The SEC now requires timely market notification of breach events, annual disclosures regarding cyber risk management practices, and management and board involvement in oversight. As of February 2024, roughly 35% of the top 3000 firms in the country were providing regular cybersecurity briefings to boards of directors. By June, this had increased to more than 98%.

Ransomware has played a starring role in the largest and most headline-grabbing recent breaches, the report says. Those include the 2023 incident that shut down MGM Resorts in September and an attack that crippled UnitedHealth in early 2024. MGM Resorts reported a $100 million impact on its third-quarter results. UnitedHealth CFO John Rex has indicated that the full-year costs will total between $1.4 billion and $1.6 billion.

To mitigate risk, the report says, boards should evaluate both direct and upstream suppliers. Strategies include conducting cybersecurity audits and vendor assessments, as well as minimizing over-dependence on specific vendors. It is also critical to maintain close collaboration between board members and IT leaders and to institute continuous cybersecurity education for boards, regular briefings, and in-person workshops.